WFTools

0.1.44

Get-WinEventData.ps1

                                Function Get-WinEventData {

    <#

    .SYNOPSIS

        Get custom event data from an event log record

    .DESCRIPTION

        Get custom event data from an event log record

        Takes in Event Log entries from Get-WinEvent, converts each to XML, extracts all properties from Event.EventData.Data

        Notes:

            To avoid overwriting existing properties or skipping event data properties,

            we append a prefix (default: e_) to these extracted properties.

            Some events store custom data in other XML nodes.

            For example, AppLocker uses Event.UserData.RuleAndFileData

    .PARAMETER Event

        One or more event.

        Accepts data from Get-WinEvent or any System.Diagnostics.Eventing.Reader.EventLogRecord object

    .PARAMETER Prefix

        Append this to EventData keys to ensure uniqueness.  Defaults to e_

    .INPUTS

        System.Diagnostics.Eventing.Reader.EventLogRecord

    .OUTPUTS

        System.Diagnostics.Eventing.Reader.EventLogRecord

    .EXAMPLE

        Get-WinEvent -LogName system -max 1 | Get-WinEventData | Select -Property MachineName, TimeCreated, e_*

        #  Simple example showing the computer an event was generated on, the time, and any custom event data

    .EXAMPLE

        Get-WinEvent -ComputerName DomainController1 -FilterHashtable @{Logname='security';id=4740} -MaxEvents 10 | Get-WinEventData | Select TimeCreated, e_TargetUserName, e_TargetDomainName

        #  Find lockout events on a domain controller

        #    ideally you have log forwarding, audit collection services, or a product from a t-shirt company for this...

    .NOTES

        Concept and most code borrowed from Ashley McGlone

            http://blogs.technet.com/b/ashleymcglone/archive/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs.aspx

    .FUNCTIONALITY

        Computers

    #>

    [cmdletbinding()]

    param(

        [Parameter(Mandatory=$true,

                   ValueFromPipeline=$true,

                   ValueFromPipelineByPropertyName=$true,

                   ValueFromRemainingArguments=$false,

                   Position=0 )]

        [System.Diagnostics.Eventing.Reader.EventLogRecord[]]

        $Event,

        [string]$Prefix = 'e_'

    )

    Process

    {

        #Loop through provided events

        foreach($entry in $event)

        {

            #Get the XML...

            $XML = [xml]$entry.ToXml()

            #Some events use other nodes, like 'UserData' on Applocker events...

            $XMLData = $null

            if( $XMLData = @( $XML.Event.EventData.Data ) )

            {

                For( $i=0; $i -lt $XMLData.count; $i++ )

                {

                    #We don't want to overwrite properties that might be on the original object, or in another event node.

                    $Entry = Add-Member -InputObject $entry -MemberType NoteProperty -Name "$Prefix$($XMLData[$i].name)" -Value $XMLData[$i].'#text' -Force -Passthru

                }

            }

            $Entry

        }

    }

}